SP1 and Directory Services: What’s New

Updated to include SP1 being RTM and some last minute fixes that were included post RCHi all, Ned here again. Back in October I joined the Windows Server 2008 R2 Service Pack 1 beta support team. Our job is to support customers in a special early adopters program. As SP1 has now released, I’m frequently asked about what changes were added for Directory Services. Today I address some specifics:

What does “Support for Managed Service Accounts (MSAs) in secure branch office scenarios” mean, as stated in the SP1 “notable changes” doc?

What does “Support for increased volume of authentication traffic on domain controllers connected to high-latency networks” mean, as stated in the SP1 “notable changes” doc?

What other updates are included in SP1 for Directory Services?

Remember, the QFEs listed below are all publically available, so if you are skimming the list and have a “oh heck, we’re having that issue” moment you can install anytime. Some of these issues are preventable as well so use your best judgment – an update to prevent NTFS corruption doesn’t fix the damaged files, after all.

In this case you have RODCs in a network that users can directly access, but those same users cannot access writable DCs (a DMZ or oddly configured branch office). After you apply SP1 the RODC will know how to forward the request on to a writable DC for MSA operations.

To fix it is install SP1 (or that hotfix) on all your RODCs.

The authentication thing

This scenario referenced by the release notes refers to:

A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2, Windows 7, Windows Server 2008, or Windows Vista in a high latency network – http://support.microsoft.com/kb/975363

This one is more complicated. Netlogon has a “throttle” that controls the maximum number of simultaneous calls over a secure channel. On DCs this includes the secure channels of external trusted domains (i.e. not Kerberos forest trusts). On member computers this is to authenticating DCs for intra-forest requests or requests to other domains/forests. On high latency networks with a ton of NTLM authentication, applications could start having issues authenticating, ranging from slow performance to errors. MaxConcurrentAPI controls this through a registry value:

The default value if this registry value name does not exist is 1 if a DC, 2 if a member server, and 1 if a client – it has been since NT 4.0 and that has never changed. Until this update is applied, the maximum value is 10. After the update is installed, the maximum value is 150. Generally speaking, since DCs are authenticating users and most companies are not heavily using local member accounts, it only needs to be set on domain controllers.

For all those folks that got scared when we recommended setting the value to 10 in order to fix your issue, this is the proof that you were being paranoid. 🙂 You will see more DC memory usage when you raise the value, but your alternative is obviously far worse.

This has no effect on Kerberos at all and Kerberos is not restricted in this fashion. If you’re using NTLM unnecessarily (misconfigured app, older version app, crummy app, external trust instead of forest trust, etc.) then getting Kerberos in gear is a much better solution than registry band-aids.

Other updates

There are 795 public fixes that were rolled into SP1 and they’re all listed here:

Of these, 104 can be considered “pure” Directory Services updates if you go off the list of what gets supported by the DS team here in Microsoft. Another 59 updates fix things that victimize DS – stuff like networking, file system, SMB, or backups. There are other fixes in SP1 as well. Sometimes issues never get public attention or a QFE would be too expensive or risky; service pack testing is far more comprehensive. I’m not including security updates, you already have those from Windows Update (right?!)

There are some fairly interesting new things here besides the two arbitrary ones in the release notes, I recommend giving these tables a look. For example:

977542 – A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode

979294 – The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7

Pure DS updates

Instead of the specified startup program, the whole desktop is started on a remote desktop connection when you change the “Terminal Services Profile” setting for the user account

969867

FIX: You cannot import or paste some group policies across domains by using the “Group Policy Management” MMC snap-in

970840

Some settings in Group Policy Preferences for Internet Explorer 7 do not deploy correctly to computers that are running Windows Server 2008 or Windows Vista

971277

You cannot access an administrative share on a computer that is running Windows Vista or Windows Server 2008 after you set the SrvsvcDefaultShareInfo registry entry to configure the default share permissions for a network share

971338

The terminal server roaming profile of a user account is not loaded correctly on a terminal server that is running Windows Server 2008 R2 or Windows Server 2008 after the user password is changed during session logon

972069

A terminal server that is running Windows Server 2008 cannot obtain terminal licenses from a Terminal Server license server that is running Windows Server 2008 after you enable the “License Server Security Group” Group Policy setting

974893

FIX: An unexpected Failure Audit event is logged for the local credential when you run a .NET Framework 2.0-based application that tries to connect to a remote computer

975142

You cannot install Active Directory Domain Services on a member server that is running Windows Server 2008 or Windows Server 2008 R2 in a branch office if the DNS and LDAP communication between the branch office and the forest root domain is blocked

975363

A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2 or Windows 7 in a high latency network

976398

LDAP filters in the Group Policy preference settings do not take effect on a computer that is running Windows Server 2008 R2 or Windows 7

976399

FIX: You cannot apply Group Policy settings on a computer that is running Windows 7 or Windows Server 2008 R2 when security group filters are used in Group Policy preference settings

976424

Error code when the kpasswd protocol fails after you perform an authoritative restore: “KDC_ERROR_S_PRINCIPAL_UNKNOWN”

976494

Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2

976586

Error in Windows 7 or Windows Server 2008 R2 when unlocking a computer or switching users

976655

You cannot perform a system state restore in the Directory Service Restore mode on a read-only domain controller that is running Windows Server 2008 R2 if DFS Replication is used to replicate the SYSVOL folder

977180

Error message when an application or a service tries to query for any deleted objects by using a well-known GUID in a Windows Server 2008 R2-based domain if paged search is used: “0x8007202c Critical extension is unavailable”